Spam Explodes, but You Can Fight Back
As maddening as the situation may sound, there is some good news to report. Major ISPs and mail portals are improving spam filters almost as quickly as spammers can introduce new techniques. "Generally speaking, the experience of end users continues to improve," reports Richi Jennings, an e-mail security analyst working for Ferris Research.
Unfortunately, some other ambitious antispam efforts haven't proved to be terribly effective. Federal authorities have prosecuted a handful of businesses under the three-year-old CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act. But that law has no jurisdiction over spammers overseas, and its provisions are increasingly being ignored. In analyzing 10,000 randomly selected commercial e-mail messages, MX Logic found that less than 1 percent met the law's requirements that such messages include the sender's real street address and a way to opt out of subsequent mailings.
The jury is still out on whether sender-authentication technologies such as Microsoft's Sender ID and Yahoo's DomainKeys will succeed in fighting spam. Sender authentication works this way: Your bank registers the IP addresses of its mail servers. If you get an e-mail that purports to come from your bank but doesn't come from one of the registered addresses, the mail service will delete the message or will at least alert you.
By the end of 2006, according to Craig Spiezle, Microsoft's director of online safety strategy and planning, roughly 40 percent of all legitimate mail received by Hotmail users was being authenticated using Sender ID. But the system works only if major phishing-target sites participate. Another weakness of sender authentication is that some of the sites registering their addresses are actually phishing sites. For example, a phishing site with a domain name that's a misspelled version of a bank's name could publish its mail server information, and Sender ID would authenticate mail from the malicious site. You can see for yourself how well sender authentication works by forwarding your mail to a Hotmail account (to test Sender ID) or to a Yahoo mail account (to test DomainKeys).
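The registration check and its look-alike weakness described above, as an added example that is not from the original article or from Microsoft or Yahoo. It goes one step past the text by pairing the authentication result with an edit-distance check against a protected domain. The domains, IP ranges, SPF-style record syntax and function names are constructed assumptions, and no DNS lookups are performed.

```python
import ipaddress

# Constructed sample records (not real DNS data): each sending domain
# publishes the IP ranges of its authorized mail servers.
PUBLISHED_RECORDS = {
    "examplebank.test": "v=spf1 ip4:192.0.2.0/28 -all",
    # Look-alike domain that publishes its own, perfectly valid record.
    "examp1ebank.test": "v=spf1 ip4:203.0.113.7 -all",
}

def authorized_networks(record):
    """Return the ip4 networks listed in a simplified SPF-style record."""
    return [ipaddress.ip_network(term[4:], strict=False)
            for term in record.split() if term.startswith("ip4:")]

def check_sender(domain, connecting_ip, records=PUBLISHED_RECORDS):
    """Return 'none', 'pass' or 'fail' for mail claiming to be from domain."""
    record = records.get(domain.lower())
    if record is None:
        return "none"  # domain registered nothing, so no verdict is possible
    ip = ipaddress.ip_address(connecting_ip)
    if any(ip in net for net in authorized_networks(record)):
        return "pass"
    return "fail"

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def verdict(domain, connecting_ip, protected=("examplebank.test",)):
    """Combine the authentication result with a look-alike domain check."""
    result = check_sender(domain, connecting_ip)
    # A 'pass' only proves the sending server is registered for that domain;
    # it says nothing about whether the domain itself is the one you trust.
    lookalike = any(0 < edit_distance(domain.lower(), p) <= 2 for p in protected)
    if result == "pass" and lookalike:
        return "pass-but-lookalike"
    return result

if __name__ == "__main__":
    print(verdict("examplebank.test", "192.0.2.5"))      # registered server
    print(verdict("examplebank.test", "198.51.100.9"))   # unregistered server
    print(verdict("examp1ebank.test", "203.0.113.7"))    # misspelled domain
```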